Flame is described as enormously powerful and large, containing some 250,000 lines of code, making it far larger than other such cyberweapons. Yet it was built with gamer code, said Cedric Leighton, a retired Air Force Intelligence officer who now consults in the national security arena.

Which is unfortunate, at least because it's the part I'm most interested in. Most of what is in that report is "standard" techniques used by malware - it's the MD5 vulnerability that is completely new.

It's obvious that whoever decided to use those crypto findings into a trojan knew they would be found eventually. It gave them a temporary edge, at a cost they could live with.

This implies:

folks that matter already knew that various official entities are practicing clandestine cyber-warfare. That opened the field for doing more blatant things. Still untraceable, but very obviously non-amateurish.

this is very unlikely to be their best ammo. they knew they were throwing it away when they packaged it in the trojan.

for blowback to happen, you need to have a target to blow back at. for all its sophistication, it doesn't appear that Flame was signed.

it's not clear that whoever can do these sort of things isn't already doing them. from the sidelines, we get to see the tip of the iceberg: attacks indiscriminate and prolonged enough to be seen. victims willing to come out as such. the odds are good that there are many more things happening beyond our line of sight.

Statements from the US have indicated that if the US were to be attacked in this way, it could be considered an act of war, with no response off the table. But I honestly don't think it will make much of a difference for Iran.

Like destroying centrifuges at Natanz using Stuxnet? (recently confirmed to be a joint US-Israeli project)

And yet Iran does nothing. Such a threat there...

This reminds me of an event during the cold war, where we let Russia fly sattelites (in space) over American soil first, to establish that while the airspace belongs to the country below it, the space above it belongs to nobody.

Except that we're the ones with the state-sponsored cyberweapons, and we're using them without hesitation or stated purpose.

What is Iran going to do? Israel could easily destroy their military unless other Arab nations decided to go to war with Iran. The US could destroy their military even if all other Arab nations sided militarily with Iran. What recourse do you think that Iran is capable of that would not just invite a disproportionately harsh response?

The president of the Jordan Senate has said that although bombing Iran would be catastrophic for the region, preventing Iran from getting nukes would be worth the risk. He told this to the US ambassador.

Saudi Arabia repeatedly has urged the US to attack Iran to stop the Iranian nuclear program. See the leaked diplomatic cables for details.

Basically, no one in the region wants Iran to get nukes. They'd rather have the US be the one to take action, but I suspect that if it was Israel instead they would publicly condemn Israel, and maybe make a show of putting their militaries on alert, but in private they would be cheering.

its possible they view it as an act of war that they are undergroing, at least in the terms of espionage, but still chose to go ahead with it in a clandestine manner. You can't just assume they dont consider it an act of war when they do it.
They may accept that as true, and still go ahead with using it.

They may consider it's an act of war, if they are cyber attacked, I don't think they'll go to war anyway, as they have no proof against the originator of the attack. If China launches a generalized cyber attack against US nuclear plants the same way the US did against Iran, are the US going to declare war on China ? China is going to say "it's not us" and "you've done it".

I think you're taking one thing (that the US can have their cake and eat it too) with something that is quite different (whether the US stands for truth, justice and democracy).

While a lot of things that the US is currently engaged in are a far cry from being the standard we should be shooting for, I would like to point out (as a separate intellectual exercise, as disconnected as possible from the current reality of the US's behavior) that a country can quite easily both stand for truth, justice and democracy, and at the same time maintain a double standard regarding certain behaviors.

As an example: a country which is politically very stable, and which has a decades-long history of having (but not using) nuclear weapons, can very easily be in the right when it says "We're allowed to have nuclear weapons but you, Ukraine, are too unstable and too irresponsible to have them. Please give them back to Russia (another country that, while not exactly stable, at least has a history of responsible nuclear behavior) or we'll have to consider using force."

TL;DR: While the US is certainly contradicting itself in many ways, there is no inherent contradiction between a country behaving like the biggest kid on the block because it is, and also holding itself to a different standard than it holds others to.

Kinda like waterboarding. The Allies executed Japanese officers after World War 2 for waterboarding Allied prisoners, calling the practice a war crime. And yet when Americans are found to be waterboarding "terrorist" prisoners, US lawmakers publicly defend the practice.

Americans really are schoolyard bullies. They go around clobbering people, tormenting them, giving wedgies and purple nurples and indian burns, but when someone turns around and does the same thing to them they go into a hissyfit, call the teacher, and get the kid expelled.

Except in the world stage, replace "getting expelled" with "bringing them democracy."

With targeted viruses/worms, that have been convincingly traced back to a foreign power? I can't think of any examples. The closest thing is some things China has done, but they appear more targeted at US businesses.

Ditto by me. We got smashed about 2 years ago. The official report was that they only managed to take down our website. The unofficial report was that access was gained to multiple key servers. The unofficial unofficial report was that it was months, if not years, of planning where they managed to get a hold of multiple high level accounts via spear phishing and other social engineering hacks.

those aren't really backdoors for hacking. They're undocumented debugg stuff from vendors. Common practice in the industry. Also in order to use these "backdoors" you have to be connected to the internet using equipments provided by the vendor.

These statement's have several purposes, but none of them is to inform people of the USA's strategies for dealing with a cyber attack. First it keeps our options open so we can respond however we decide is appropriate, without going back on our word. Second it is a show strength we are reminding people that the USA has the world's most powerful military by a long shot. Finally, it is part of an attempt to convince other actors (mostly our enemies) that we are insane and would respond to a cyber attack by starting a nuclear war, so everyone will leave our computers alone out of fear of getting nuked.

The problem is that attacks like this and stuxnet are extremely difficult to engineer in the first place (requiring world-class zero-day exploits and/or cryptoanalysis), extremely easy to retask and re-aim once discovered, and extremely hard to lock down every single valuable network in a country against.

"Cyber attacks" may be nothing new, but every time a new worm or piece of malware in deployed, it's like handing a nuke to your enemy that they can turn right around and use back on you.

Writing stuxnet or flame in the first place is incredibly hard, but once it's out in the wild then getting old of a copy, reverse-engineering it, modifying the code and deploying it against the target of your choice is comparatively trivial.

Guy 1: OMG, this new vector for crypto attacks is genius.
Guy 2: Yeah, it's incredible. Only the two smartest guys in the world could have come up with this stuff.
Guy 1: You mean the smartest and most awesome guys.
Guy 2: Yeah, that's what I meant. Also, the best looking.

Yup, this is the NSA then. I don't think anyone would risk involving independent academic cryptographers in something like this, and there really aren't that many people in the world who can arrange and exploit MD5 collisions.

Most foreign nationals will never see the inside of NSA. I spent almost three years at NSA when I was with the Naval Security Group (which is now the Information Operations Directorate of the Naval Network Warfare Command). NSA deals with information that is classified above "Top Secret." In order to work at NSA, one must undergo an extensive background investigation, which pretty much rules out foreign nationals who are not on loan from their country's NSA counterpart.

With that said, there are several government agencies around the world that could have launched this attack. The cryptomathematicians at GCHQ are hardcore (Alan Turning was a cryptomathematician at GCHQ during WWII). Israel's Unit 8200 is also home to world-class cryptomathematicians and information security professionals. We also have former Soviet cryptomathematicians who may or may not being working for a government agency.

No, I have not read The Atrocity Archives. I am merely stating what I know about the cryptographic world from working for NSA at one point in my career.

NSA may be a government agency, but it is a government agency that is headed by a flag/general information warfare officer, not a career bureaucrat. Furthermore, a large portion of the NSA "operators" are uniformed members of the Central Security Service. The Naval Security Group used to be the naval component of the Central Security Service. As stated above, the Naval Security Group became the Information Operations Directorate of the Naval Network Warfare Command (NETWARCOM). Now, NETWARCOM is the naval component of the Central Security Service. The U.S. Navy created the CTN rating specifically to train young enlisted men and women in the field of network penetration. These enlisted men and women along with naval information warfare officers are part of NSA's Red and Blue Teams.

Well, what we're looking for is "organisation with world class cryptographers" and also "organisation that really has a hard-on for fucking with Iran".

If this had attacked PayPal or a bank, I would assume "regular criminals, with smart hackers".

If it had replaced every other website with lemonmparty, I would assume script kiddies got it from some eastern European hackers.

The fact that it's another virus that seems to really want to hang out in Iranian computers suggests that it's not just script kiddies. Therefore it was probably either created by or on behalf of an organised group with something against Iran. There are a few options, one of which is the US, one of which buys stuff from the US and has plenty of smart people, and many of which are not known for the quality of their cryptography.

It may not be the NSA, but there aren't exactly thousands of possibilities.

From all I've read about intelligence gathering in the English speaking world the likes of NSA, GCHQ and their Canadian, Australian and New Zealand counterparts behave and act as if they were one single entity, and not really separate organizations.

Pretty freaking easy if they have poor physical security at their house. Software does not exist in a vaccuum; and cryptographers of interest may be under the mistaken assumption that the only type of eavesdropping that will ever happen to them is the dragnet that we get with everyone that they're able to get around. Putting cameras in a house while they have to leave their house is quick and easy, and practically none will ever check for it.

Snooping on someone does not require physical bugs. Computers emit RF radiation that can be intercepted by a specially-equipped van sitting outside of one's house. That's why NSA's computers, communication systems, and facilities meet "TEMPEST" requirements. Have you ever heard of a SCIF (Sensitive Compartmented Information Facility)? A SCIF is room or group of rooms that is encapsulated inside of a Faraday cage.

A simple apparatus pointing a laser at the windows or the room inside of those you want to listen in to is enough to gain valuable information. This laser-pointer-microphone can be used even from a smaller car, so yes a van is will get you far. In a van you can put more tools and shit, to for example go in and install a physical keylogger on the targets all comm-links outside.

There are many people who could take a scientist's findings and turn them into a practical exploit, and there was no reason to involve the initial cryptographer in the trojan development process.

If we entertain the hypothetical that this wasn't NSA-bound, it raises the fun possibility of having cryptographers selling their findings to the highest bidders, in much the same way unscrupulous security bug finders can.

Are academics beyond such dubious dealings, or is the prospect of a few hundred grands paydays sufficient to enable these kind of synergies?

If you're willing to offer a cryptographer that kind of pay day, why not just hire them? It would seem silly not to. On the flip side, if you're a world class cryptographer an offer from the NSA or other appropriate agency is probably quite tempting.

There are probably some private companies that could do it. At one time, for instance, IBM was the home of world class cryptographers. They knew of differential cryptanalysis, and made DES resistant to it, something like a decade before academic cryptographers discovered it. for instance.

Actually, that was the NSA. They strengthened DES's S-boxes to be resistant to differential cryptanalysis without telling anyone why they made those changes. At the time everyone was paranoid that they had added a backdoor.

oh I'm not really an expert but I would think you still want to use password salting however just don't use MD5Hash. Best way to go is develop your own method which scrambles your password with several crypto hash functions (SHA1,SHA2,Blowfish) in a data-dependent way, so that this method is "unique" for your site in that an attacker needs to develop a unique strategy for your website instead of some wholesale method which works for a range of websites. This may be overkill tho, I believe you as long as you don't salt with MD5 then you should be fine...for now. :)

I'm not really sure if you can even say that Stuxnet was only meant for a limited target range. It's authors probably realized that is possible prep has even likely (though undesirable) that it would spread out side of the initial target range, but proceeded anyways. After all Stuxnet was a success in disabling the Iranian centrifuges, the fact that is was eventually discovered only means it wasn't a flawless success.

The only malicious part of Stuxnet, IIRC, was the part that contained an override of the PLC instructions for certain Uranium enrichment centrifuges. That is extremely specific, and if I understood this correctly, there was no use for the virus anywhere else.

You could call that collateral damage if you really wanted. Saying "it spread out of control again" sounds very much like they screwed up... where as it's pretty obvious both of these were the opposite of failure.

"Flame could only have been developed with the backing of a wealthy nation-state"

I don't quite understand if the author means to say "likely" instead of "only". Doing math does not really require a wealthy nation state. A few hundred networked computers can be organized by student groups and does not really need wealthy nations.

To pull it off, researchers had to wield the power of 200 PlayStation 3 gaming consoles.

Honestly.. This is not really that much computing power in today's terms. PS3 has a theoretical max of ~220 GFLOPS.. A geforce 680 gtx card has a theoretical max of ~3090, so you only need about 14 GPU's for the same computing power, and you can run 4 in a single computer.

You could build a few computers with modern hardware that could annihilate that 200 PS3 cluster for under $10k easily. I have more than that in my savings account.

Disclaimer: I realize floating point operations are probably not optimal for this kind of operation, but it's the most accessible measurement.

If you are not the US, it matters not what country you are. If your top high-level government officials are using computers and laptops for their top secret work with an operating system DEVELOPED AND MAINTAINED BY FREAKING AMERICANS, then what the hell... you deserve to be hacked by Americans.

Does anyone use md5 for security anymore? Maybe I don't know what I am talking about but isn't sha better? Or does flame not care about the hashing method and can find collisions with any type of hash, because that seems crazy.

It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

In relevant contexts I've been saying for years something like this would happen with automatic updates, and I'm dismissed as a conspiracy nut. The potential is for someone (whether a skilled computer scientist or simply a pissed-off high-level employee of some popular software company) to develop the ultimate global virus and spread it seamlessly and perfectly worldwide via Microsoft's or Google's or Mozilla's or Adobe's or Canonical's or Java's (... just how many people do you trust with your digital existence?) automatic update mechanism.

Someone evil with an opportunity to deploy such a virus overnight to hundreds of millions of computers would want to get the most bang for their buck, so what might they do? Steal corporate & political secrets? Would be a waste if they didn't. Forward all your saved email and social network conversations to everyone in your contacts? They might find that very funny. Spread propaganda? Tempting. Obliterate your private data? Easily. Brick hardware? Can be done. Subvert your entire [Internet] identity? With enough effort.

The question isn't "if", but when, what will their motives be, and how far & fast will they be able to spread it? Flame is minor. If you'd rather not be one of the canaries on the day the Big One hits, remain vigilant; back up your precious data and disconnect the back up device, delete unnecessary old stuff that's on the cloud, and most importantly, don't leave unprompted automatic updates enabled in any software.

Sorry but you've got a romanticised view of how these things work; what you say makes sense in movie-land but not really in real life - as well as the fail-safes the fact is thing like you suggest will, by it's very nature of being massively widespread, be immediately detected and a fix released.

Edit: I'll add that important computers ain't connected to anyone's update server than their own. Running wide-area corporate desktops is a well-known science nowadays and it does not involve shitty self-updaters written by OEMs.

thing like you suggest will, by it's very nature of being massively widespread, be immediately detected

Typical automatic update checks occur as often as daily, so an update containing a virus could spread fast. It might be able to spread far if it remained dormant for its first week or so. If I was going to do this, I'd compress the main payload and stick it in a block of a JPEG file in a program library, as a place where it would be quite unlikely to get scrutinized. The pathway to activate the offending code could then be trivially small and unnoticeable during reverse engineering unless you knew exactly what to look for.

and a fix released.

Viruses can easily disable (or fake) automatic updates, so the inevitable fix would not spread as quickly and easily as the virus.

I'll add that important computers ain't connected to anyone's update server than their own.

If I was going to do this, I'd compress the main payload and stick it in a block of a JPEG file in a program library, as a place where it would be quite unlikely to get scrutinized. The pathway to activate the offending code could then be trivially small and unnoticeable during reverse engineering unless you knew exactly what to look for

That's toss and we both know it. Fuck where you put your data segment, your actions will trip enough alarms that you're detected in 12 hours, confirmed in 24 and patched in 72. It's not like simple bugs haven't already cause similar scrambles.

Viruses can easily disable (or fake) automatic updates, so the inevitable fix would not spread as quickly and easily as the virus.

... and be tripping the alarms on all the honeypot machines that the AV companies maintain to catch malware.

Okay, but individuals' computers are important too.

True, indeed. But that's not really the point. Badly managed machines will get and hold malware of course, but well managed machines will not. And well managing machines is (nowadays) quite easy and so practiced by all corporates and governments.

I think you missed the part where Flame can sign code as MS. At that point it's game over, you can patch any executable, run any service, at any privilege level and the OS will doff it's cap and apologise for getting in your way.

You think a 72 hour patch turnaround will help the entire internet when their windows update dialog box says "Installing important security fix" when their machine has been infected? You think your average corporate sysadmin will check it worked (or know how to)?

The best thing to exploit is always the people involved, and if you make it easy for the lazy to say "Well, done my job, problem solved," you've got a botnet as large as you want.